Cyberattack Exposes I.R.S. Tax Returns

The I.R.S. building in Washington. The agency said that criminals had been able to view thousands of tax returns. Credit: Drew Angerer for The New York Times

By Jada F. Smith

May 26, 2015

WASHINGTON — Criminals used stolen data to gain access to past tax returns of more than 100,000 people through an application on the Internal Revenue Service’s website, the agency said on Tuesday.

Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme.

“We’re confident that these are not amateurs,” John Koskinen, the I.R.S. commissioner, said. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

The agency has opened an investigation into the breach and has temporarily shut down the Get Transcript application, which was used to gain access to the information. Old tax returns are sometimes needed to apply for college loans or mortgages, and taxpayers can still request the records by mail.

More than 200,000 attempts to view the past returns using stolen information were made from February to mid-May, and about half were successful. It is unclear whether the criminals were operating inside or outside the United States.

Dealing with fraudulent tax claims has been a challenge for the I.R.S. as online crime has grown more sophisticated in recent years. The agency paid $5.8 billion in falsely claimed refunds in 2013.

“Eighty percent of the identity theft we’re dealing with and refund fraud is related to organized crime here and around the world,” Mr. Koskinen said at a news conference on Tuesday. “These are extremely sophisticated criminals with access to a tremendous amount of data.”

The I.R.S. said the attackers exploited data, like email addresses and passwords gleaned from other breaches, to answer basic authentication questions about subjects like birth dates or the names of family members. After recent breaches at the health insurer Anthem and Home Depot, security experts note that users’ personal information is now widely available to hackers, who can buy it from criminal websites.

“This is a wake-up call that breaches have a compounding effect and the stakes are getting higher,” said Eric Chiu, a security expert who is the president of HyTrust, a cloud computing security company. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.”

The consequence, Mr. Chiu said, “could be devastating to consumers — attacks can potentially open new accounts, siphon off funds and ultimately steal identities of victims.”

After the I.R.S. disclosed the breach, security experts criticized the agency for not adding more context to the authentication questions, or using a so-called multifactor system that sends users a second password via their mobile phone. Experts also criticized the agency for not deploying technology that looks for suspicious activity, such as multiple sign-in attempts from the same device, or encrypting sensitive information.

But Mr. Koskinen said that the I.R.S. had stopped almost three million suspicious returns this year, and officials say that new computer filters that look for anomalies have helped prevent identity theft.

Senate Finance Committee aides said Mr. Koskinen called the committee’s chairman, Senator Orrin G. Hatch, Republican of Utah, late last week to notify him of the breach. The committee kept it quiet while law enforcement officials opened the investigation.

Word of the breach prompted Republicans to increase their attacks on the tax collection agency, which has faced criticism since revelations that the I.R.S. had intentionally targeted political organizations for extra scrutiny of their tax-exempt applications.

“That the I.R.S. — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable,” Mr. Hatch said. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”

But the breach is also likely to prompt the Obama administration to redouble its efforts to increase the I.R.S.’s budget, which has been cut 18 percent since 2010, adjusting for inflation. Since 2010, the agency has shed more than 13,000 employees, or 14 percent of the work force, with nearly 10,000 lost jobs coming from the enforcement staff, which is down 20 percent since 2010.

Representative Sander M. Levin, Democrat of Michigan and the ranking member of the House Ways and Means Committee, said he had spoken with Mr. Koskinen, who assured him that the I.R.S. was getting to the bottom of the problem. “It is important that members of Congress work together to ensure that the I.R.S. has adequate resources to carry out the vital priority of protecting confidential taxpayer information,” Mr. Levin said.

The agency sent letters to the taxpayers whose accounts had been compromised, and it will offer them free credit monitoring. The I.R.S. said its main computer system, which handles tax filings, had not been breached.

“During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts,” the agency said.

Jonathan Weisman contributed reporting from Washington and Nicole Perlroth from San Francisco.

A version of this article appears in print on Page B1 of the New York edition with the headline: I.R.S. Breach Exposes Data of Taxpayers.